从这个网页截图中,我们可以获取以下关于漏洞的关键信息: 漏洞概述 受影响的产品: 用友空间企业信息 Integration KSOA Platform V9.0 漏洞类型: SQL注入漏洞 漏洞细节 影响的文件: 版本: V9.0 漏洞成因 A SQL injection vulnerability exists in the file of the KSOA. The application accepts untrusted input via the parameter and concatenates it directly into SQL query without proper validation or parameterization, leading to time-based SQL injection in MS SQL Server environment, thereby allowing attackers to manipulate database queries and execute arbitrary SQL commands. 漏洞影响 Attackers can exploit this vulnerability to achieve unauthorized database access, sensitive data leakage, data tampering, and potentially gain administrative control over the database server. This poses a serious threat to the confidentiality, integrity, and availability of the system. POC (proof of concept) Vulnerable URL: http://139.129.39.196:98/worksheet/work_info.jsp Vulnerable Parameter: id Method: GET Reproduction command 建议修复 1. 使用预编译语句: Implement parameterized queries (Prepared Statements) for all database access. This ensures that the database treats user input as data, not executable code. 2. 输入验证: Strictly validate the parameter to ensure it only contains expected characters (e.g., integers only). 3. WAF配置: Deploy a Web Application Firewall (WAF) to detect and block common SQL injection patterns. 4. 错误处理: Disable detailed database error messages on the frontend to prevent information leakage.